U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
AUDITING DIVISION

AUDIT REPORT
Issue Date: November 13, 2009
Number: 10-04

To:       Jonathan I. Carver
          Chief Financial Officer

From:     Debra S. Ritt
          Assistant Inspector General for Auditing

Subject:  Audit of SBA's FY 2009 Financial Statements

Pursuant to the Chief Financial Officer's Act of 1990, attached is a copy of the Independent Auditors' Report issued by KPMG LLP on the Small Business Administration's financial statements for the fiscal year ended September 30, 2009. The audit was performed under a contract with the Office of Inspector General (OIG) and in accordance with Generally Accepted Government Auditing Standards; Office of Management and Budget's (OMB) Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended; the Government Accountability Office (GAO)/President's Council on Integrity and Efficiency (PCIE) Financial Audit Manual; and GAO's Federal Information System Controls Audit Manual.

The KPMG report concluded that SBA's consolidated financial statements presented fairly, in all material respects, the financial position of SBA as of and for the years ended September 30, 2009 and 2008. It also presented fairly, in all material respects, SBA's net costs, changes in net position, and combined statements of budgetary resources for the years then ended.

With respect to internal controls, KPMG reported a material weakness over financial reporting, and continued to report a significant deficiency related to Information Technology security controls. Details regarding the matters that led to the auditor's conclusion on internal controls are further discussed in Exhibits I and II of the Independent Auditors' Report. KPMG's test for compliance with certain laws, regulations, contracts and grant agreements determined that the Agency did not fully comply with the Debt Collection Improvement Act of 1996 because SBA did not consistently follow Treasury guidelines for referring delinquent debts for collection. Details regarding the auditor's conclusion are included in the "Compliance and Other Matters" section of the Independent Auditors' Report. The auditors did not report any other instances or matters regarding noncompliance.

We provided a draft of KPMG's report to SBA's Chief Financial Officer (CFO), who concurred with its findings and recommendations and agreed to implement the recommendations. The CFO is delighted that SBA has again received an unqualified audit opinion and believes these results accurately reflect the quality of the Agency's financial statements and its improved accounting, budgeting and reporting processes.

We reviewed a copy of KPMG's report and related documentation and made necessary inquiries of their respective representatives. Our review was not intended to enable us to express, and we do not express, an opinion on the SBA's financial statements, KPMG's conclusions about the effectiveness of internal control, or its conclusions about SBA's compliance with laws and regulations. However, our review disclosed no instances where KPMG did not comply, in all material respects, with Generally Accepted Government Auditing Standards.

We appreciate the cooperation and assistance of SBA and KPMG. Should you or your staff have any questions, please contact me at (202) 205-[redacted] or Jeffrey R. Brindle, Director, Information Technology and Financial Management Group at (202) 205-[redacted].

Attachment


KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Auditors' Report

Office of Inspector General,
U.S. Small Business Administration:

We have audited the accompanying consolidated balance sheets of the U.S. Small Business Administration (SBA) as of September 30, 2009 and 2008, and the related consolidated statements of net cost and changes in net position, and combined statements of budgetary resources (hereinafter referred to as "consolidated financial statements") for the years then ended. The objective of our audits was to express an opinion on the fair presentation of these consolidated financial statements. In connection with our fiscal year 2009 audit, we also considered SBA's internal control over financial reporting and tested SBA's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated financial statements.

Summary

As stated in our opinion on the consolidated financial statements, we concluded that SBA's consolidated financial statements as of and for the years ended September 30, 2009 and 2008, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles.

Our opinion emphasized SBA's implementation of Statement of Federal Financial Accounting Standards (SFFAS) No. 31, Accounting for Fiduciary Activities.

Our consideration of internal control over financial reporting resulted in identifying a certain deficiency that we consider to be a material weakness, item number 1, and other deficiencies that we consider to be a significant deficiency, item number 2, as follows:

1  Improvement Needed in Internal Controls over Financial Reporting
2  Improvement Needed in Information Technology (IT) Security Controls

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements disclosed one instance of noncompliance that is required to be reported herein under Government Auditing Standards and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended.

3  Noncompliance with the Debt Collection Improvement Act

The following sections discuss our opinion on the SBA's consolidated financial statements; our consideration of the SBA's internal control over financial reporting; our tests of SBA's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements; and management's and our responsibilities.

Opinion on the Financial Statements

We have audited the accompanying consolidated balance sheets of SBA as of September 30, 2009 and 2008 and the related consolidated statements of net cost and changes in net position, and the combined statements of budgetary resources for the years then ended.

U.S. Small Business Administration
November 13, 2009
Page 2 of 4

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of SBA as of September 30, 2009 and 2008 and its net costs, changes in net position, and budgetary resources for the years then ended, in conformity with U.S. generally accepted accounting principles.

As stated in Note 4 to the financial statements, SBA implemented the requirements of SFFAS No. 31 in fiscal year 2009.

The information in the Management's Discussion and Analysis, Required Supplementary Information, and Required Supplementary Stewardship Information sections is not a required part of the consolidated financial statements, but is supplementary information required by U.S. generally accepted accounting principles. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it.

Internal Control Over Financial Reporting

Our consideration of the internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and was not designed to identify all deficiencies in the internal control over financial reporting that might be deficiencies, significant deficiencies, or material weaknesses.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented or detected and corrected on a timely basis.

In our fiscal year 2009 audit, we identified a deficiency in internal control over financial reporting that we consider a material weakness, as described in Exhibit I, and other deficiencies that we consider to be a significant deficiency, as described in Exhibit II. Exhibit III presents the status of the prior year significant deficiency.

We noted certain additional matters that we have reported to management of SBA in a separate letter dated November 13, 2009.

Compliance and Other Matters

The results of our tests of compliance described in the Responsibilities section of this report, exclusive of those referred to in the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed one instance of noncompliance that is required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04.

As stated in its Federal Managers' Financial Integrity Act (FMFIA) Assurance Statement, SBA management reported the agency was noncompliant with the Debt Collection Improvement Act in fiscal year 2009 due to instances where it did not refer a substantial number of charged off loans to Treasury for offset and cross servicing.

The results of our tests of FFMIA disclosed no instances in which SBA's financial management systems did not substantially comply with the: (1) Federal financial management systems requirements; (2) applicable Federal accounting standards; and (3) the U.S. Standard General Ledger at the transaction level.

*******

Responsibilities

Management's Responsibilities. Management is responsible for the consolidated financial statements; establishing and maintaining effective internal control; and complying with laws, regulations, contracts, and grant agreements applicable to SBA.

Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year 2009 and 2008 consolidated financial statements of SBA based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards and OMB Bulletin No. 07-04 require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of SBA's internal control over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

•  Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;
•  Assessing the accounting principles used and significant estimates made by management; and
•  Evaluating the overall consolidated financial statement presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2009 audit, we considered SBA's internal control over financial reporting by obtaining an understanding of SBA's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. We did not test all controls relevant to operating objectives, as broadly defined by the FMFIA. The objective of our audit was not to express an opinion on the effectiveness of SBA's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of SBA's internal control over financial reporting.

As part of obtaining reasonable assurance about whether SBA's fiscal year 2009 consolidated financial statements are free of material misstatement, we performed tests of SBA's compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of the consolidated financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, including the provisions referred to in Section 803(a) of FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to SBA. However, providing an opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and, accordingly, we do not express such an opinion.

SBA's response to the findings identified in our audit is presented in Exhibit IV. We did not audit SBA's response and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of SBA's management, SBA's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

November 13, 2009


Exhibit I
U.S. Small Business Administration
Material Weakness

Introduction

Exhibit I herein describes the material weakness and Exhibit II describes the control deficiencies, which collectively resulted in a significant deficiency, for the year ended September 30, 2009, and our recommendations. The status of the prior year significant deficiency is reported in Exhibit III, and SBA management's response is presented in Exhibit IV.

Material Weakness

The material weakness we identified for the year ended September 30, 2009, is summarized below.

(1) Improvement Needed Surrounding Controls Over the Financial Reporting Process

SBA has various reconciliation and data quality improvement procedures between and within its various systems and departments to ensure that the agency's financial statements are reasonable and fairly presented. The purpose of these procedures is to improve the overall quality of the data SBA uses internally to monitor operations and loan portfolio performance as well as to periodically report to its various stakeholders, such as the U.S. Department of Treasury and the Office of Management and Budget (OMB). However, these procedures need to be strengthened to improve the quality and accuracy of the quarterly and year-end financial reporting process.

SBA did not timely identify a $346.6 million overstatement in its financial statements concerning its liability for loan guaranties and defaulted loan guaranty receivable balances. The error was due to a lack of effective process controls over SBA's Return on Assets (ROA) calculation. The ROA calculation is used to record an alignment entry which adjusts the net defaulted loan guaranty receivable and the liability for loan guaranty balances to net present value (NPV) in accordance with Statement of Federal Financial Accounting Standards (SFFAS) No. 2, Accounting for Direct Loans and Loan Guarantees. One of the main inputs of this calculation is the NPVs generated by the Credit Subsidy Calculator 2 (CSC2). For cohorts reestimated using projected disbursements, SBA did not properly reduce the NPV amounts on a pro rata basis to reflect the NPV based on actual disbursements to date.

Additionally, we noted that the ROA adjusting entry was improperly posted before all loan guaranty transactions were posted to the general ledger. As a result, the defaulted loan guaranty and liability for loan guaranty balances were overstated by $32.7 million.

The lack of process controls resulted in cumulative misstatements totaling $379.3 million related to the defaulted loan guaranties and liability for loan guaranty balances at September 30, 2009. SBA subsequently recalculated the alignment entry and reposted the transactions to correct the balances in error.

OMB Circular A-123, Management's Responsibility for Internal Controls, states: "management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness."

Recommendations

We recommend that the Chief Financial Officer:

1. Implement a reconciliation procedure in which a staff member traces and agrees the NPV in the ROA calculation to the outputs generated by the CSC2 prior to posting the alignment entry in the general ledger.

2. Develop policies and procedures to ensure the ROA alignment entry is made after all credit reform loan guaranty activity has been posted to the general ledger.

3. Enhance SBA's procedures related to its in-depth analysis of the valuation of the liability for loan guaranties and defaulted loan guaranty receivable balances to ensure the balances are properly presented at the NPV in accordance with SFFAS No. 2.


Exhibit II
U.S. Small Business Administration
Significant Deficiency

The significant deficiency identified for the year ended September 30, 2009, is summarized below:

(2) Improvement Needed in Information Technology (IT) Security Controls

During fiscal year 2009, we noted that SBA made progress in several areas in its efforts to address prior year IT internal control deficiencies. Despite these improvements, we also noted that deficiencies continued to exist in the areas of security access controls, software program changes, patch management, and end-user computing.

Security Access Controls

Integral to an organization's security program management efforts, technical security access controls for systems and applications should provide reasonable assurance that IT resources, such as data files, application programs, and IT-related facilities/equipment, are protected against unauthorized modification, disclosure, loss, or impairment.

A summary of the security access control deficiencies we identified during the fiscal year 2009 SBA financial statement audit follows:

•  We noted several [redacted] vulnerabilities, with [redacted] hosted by SBA's [redacted] service provider. Details are not provided in this report due to their sensitivity, but have been provided to SBA management. Many of these issues were tracked by the internal [redacted] support team; however, the issues were not appropriately tracked and prioritized by the Plan of Action and Milestones (POA&M) in which the Office of Chief Information Officer (OCIO) provides oversight and management.

•  We noted security vulnerabilities with [redacted] hosted in the [redacted]. Details are not provided in this report due to their sensitivity, but have been provided to SBA management. Although we noted improvement in this area since fiscal year 2008, consistent and periodic completion of vulnerability scans would have helped SBA reduce the number of vulnerabilities.

•  We identified access control weaknesses through our technical vulnerability testwork [redacted].

•  Validation of physical access to the data center at [redacted] is not performed in accordance with SBA Standard Operating Procedure (SOP) 90-47.2, Automated Information Systems Security Program, which requires that a listing of authorized personnel for SBA computer facilities (e.g., server rooms) be maintained, and access be revalidated at least quarterly. In addition, we noted that visitor logs at [redacted] were not fully completed.

•  OCIO management was unable to provide reasonable assurance that electronic media is sufficiently sanitized prior to disposal, in accordance with SOP 90-47.2. The SOP requires that (1) media must be sanitized prior to disposal by using one of the three approved methods: overwriting, degaussing, or destruction, and (2) a log of who completed the sanitation action must be maintained.

•  OCIO management was unable to provide reasonable assurance that user access to the [redacted] system was appropriately authorized and approved, in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Section AC-2.

•  OCIO management does not enforce a process for monitoring, reviewing, and signing-off on the audit logs [redacted].

The majority of the above issues are consistent with findings identified by the Office of Inspector General (OIG) in past years. In fact, the OIG has identified IT security as a significant SBA management challenge since at least fiscal year 2000.

Recommendations - Security Access Controls:

We recommend that the Chief Information Officer (CIO) coordinate with SBA program offices to:

4. Improve the vulnerability tracking and monitoring process to include unresolved vulnerabilities in the [redacted] POA&M.

5. [redacted].

6. Develop a more thorough approach to track and mitigate patch management and configuration management vulnerabilities identified during [redacted] scans.

7. Prevent users from [redacted] to the [redacted] by developing and implementing procedures for ensuring mandatory [redacted].

8. Implement controls to comply with SOP 90-47.2 regarding the validation of [redacted] to the data center.

9. Implement procedures to control the process for requesting and granting access to the [redacted] system, and implement procedures to retain the appropriate approval evidence for tracking and validation.

10. Implement a process to monitor the audit logs of all [redacted] on a regular basis.

Software Program Changes

The primary focus of an organization's software change controls (which also encompasses patch management and configuration management efforts) is on controlling the software changes made to systems and applications in operation. Without such controls, there is a risk that security features could be inadvertently or deliberately omitted or turned off, or that processing irregularities or malicious code could be introduced into the IT environment.

A summary of the software program change control deficiencies we identified during the fiscal year 2009 SBA financial statement audit follows:

•  An agency-wide change control process has not been implemented, and the Enterprise Change Control Board (ECCB) charter is in draft form. In fiscal year 2008, the Office of the Chief Information Officer (OCIO) stated that the ECCB charter would be implemented and that it would adhere to the IT Infrastructure Library.

•  The OCIO was unable to provide evidence that (1) testing and approvals were performed for six of eight selected LAN/WAN operating system changes, (2) testing and approvals were performed for eight of eight selected Financial Reporting Information System (FRIS) operating system changes, and (3) the listing of JAAMS operating system changes was complete and accurate.

•  The OCIO was unable to provide evidence that changes to the LAN/WAN were appropriately tracked, approved, and implemented for the selected sample of seven application changes.

•  Change controls to manage LAN/WAN emergency changes were not sufficient. The OCIO was unable to provide testing results and approvals for two of the three selected emergency changes.

•  The Office of the Chief Financial Officer (OCFO) was unable to provide evidence that the software change requests were consistently completed for JAAMS and the FRIS.

•  The OCIO was unable to provide evidence that baseline configurations for LAS were updated in a timely manner. Documented baseline configurations enable the process of tracking and controlling software changes, especially as system security settings are changed.

Recommendations - Software Program Changes:

We recommend the CIO:

11. Oversee the development of a finalized ECCB charter that is supported by a promulgated SOP.

12. Implement procedures for documenting operating system, software, and emergency change testing results, testing approvals, and final approvals. Specifically, such procedures and controls need to be applied for the LAN/WAN.

We recommend the CFO:

13. Implement a process to capture all change requests for JAAMS.

14. Ensure consistent application of procedures for documenting operating system change testing results, testing approvals, and final approvals. Specifically, such procedures and controls need to be applied for the FRIS.

End-user Computing

End-user computing tools/programs (e.g., spreadsheets and other user-developed programs) present the need for a unique set of general control procedures within an organization. By its nature, end-user computing brings the development and processing of information systems closer to the user. End-user computing capabilities typically include access to any end-user developed programs or objects, such as spreadsheets that contain critical data/information. Critical data/information could include personally identifiable information (PII) and financial data. While this environment may not typically be subjected to the same level of rigor and structure as an IT general controls environment, policies and procedures in this area are important to the overall IT environment. During our follow-up on this prior year deficiency, we noted that the policy and procedure has been drafted, but had yet to be finalized, approved, and implemented in the SBA environment.

Recommendations - End-user Computing:

15. We recommend the Senior Policy Analyst in the Office of the Administrator coordinate with program offices using end-user programs containing sensitive data, such as PII and financial data, to implement end-user computing procedures in accordance with the guidance provided by the OCIO.


Exhibit III
U.S. Small Business Administration
Status of Prior Year Significant Deficiency

Fiscal Year 2008 Finding:

1. Improvement needed in management information technology security controls

Fiscal Year 2009 Status of Finding:

During our review of SBA's information technology (IT) general and application controls, we noted improvements in remote access authorizations, [redacted] sanitization over sensitive media, and user account recertification for the Loan Accounting System and the LAN/WAN. However, we continued to identify opportunities for SBA to improve its internal controls. The control deficiencies that continue to exist are in the following areas: security access controls, software program changes, and end-user computing. This year, we also noted weaknesses in port security and the monitoring of system audit logs.

Therefore, in fiscal year 2009, the presentation of the issue was modified to reflect current year operations, and we continue to report a significant deficiency in internal controls as it relates to IT systems and their impact on the consolidated financial statements. See Exhibit I for additional information.


Exhibit IV

U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, D.C. 20411

DATE:     November 13, 2009

TO:       Debra Ritt, Assistant IG for Auditing

FROM:     Jonathan I. Carver, Chief Financial Officer

SUBJECT:  Draft Audit Report on FY 2009 Financial Statements

The Small Business Administration is in receipt of the draft Independent Auditors' Report from KPMG that includes the auditor's opinion on the financial statements and review of the Agency's internal control over financial reporting and compliance with laws and regulations. The independent audit of the Agency's financial statements and related processes is a core component of SBA's financial management program.

We are delighted that the SBA has again received an unqualified audit opinion from the independent auditor. We believe these results accurately reflect the quality of the Agency's financial statements and our improved accounting, budgeting and reporting processes. As you know, the SBA has worked hard over the past several years to address the findings from our independent auditors. Our core financial reporting data and processes have improved substantially and we are proud that the results of our efforts have been confirmed by the independent auditor. The draft audit report contains a material weakness concerning controls around the Liability for Loan Guaranties (LLG) and the Return On Assets (ROA). This calculation is performed once a year under severe time constraints. The SBA has procedures in place for this calculation; however, due to time constraints the procedure was not completely followed. SBA will improve the process controls around Loan Liability Guaranties (LLG) and Return On Assets (ROA) in order to mitigate the significant time constraints during the audit. It is notable that this error was corrected within hours upon notification by the auditors.

The audit report includes a continuing significant deficiency in the SBA's information technology controls. As the auditors noted in their report on the 2009 financial statements, the SBA made substantial progress in resolving IT deficiencies. The SBA will continue to improve the Agency's IT security during the upcoming fiscal year. The SBA is developing plans to track, monitor, and aggressively mitigate vulnerabilities in all agency systems. Furthermore, the SBA will clarify and strengthen detailed procedures required to ensure security access controls are in place to protect SBA data from unauthorized modification, disclosure, and loss.

The audit report contains one instance of non-compliance with applicable laws and regulations as of September 30, 2009 that the SBA identified. During FY 2009, the SBA did not refer a substantial number of loans to the Treasury Department for cross-servicing or for the Treasury offset. The SBA management team established a Debt Collection Improvement Act (DCIA) team to tackle the problem comprised of members from the Offices of Capital Access, Chief Financial Officer and Chief Information Officer. The root of this error was identified as a system coding error. The error has since been corrected and additional resources have been allocated to refer these loans to the Treasury within the next six months.
A mitigation plan is in place to ensure that this error does not\noccur in the future.\n\nWe appreciate all of your efforts and those of your colleagues in the Office of the\nInspector General as well as those of KPMG. The independent audit process continues to\nprovide us with new insights and valuable recommendations that will further enhance\nSBA\'s financial management practices. We continue to be committed to excellence in\nfinancial management and look forward to making more progress in the coming year.\n\x0c'